prometheus

Monitoring & Metrics

Prometheus is a systems and service monitoring system that collects metrics from configured targets, evaluates rules, displays results, and triggers alerts.

Track releases GitHub Website

Go Latest v3.12.0 · 6d ago Security brief →

Features

Multi-dimensional data model with metric name and key/value dimensions
PromQL – a powerful query language leveraging dimensionality
Autonomous single‑server nodes without dependency on distributed storage
HTTP pull model for time‑series collection (with optional push via gateway)
Service discovery and static configuration for target discovery

Recent releases

View all 11 releases →

Upgrade now

v3.12.0 Breaking risk 6d

Auth RCE / SSRF

Reject oversized snappy remote writes; fix secret exposure

Open

v3.11.3 Security relevant 1mo

Security fixes

AzureAD OAuth client_secret exposed in plaintext via /-/config endpoint (CVE-2026-42151, GHSA-wg65-39gg-5wfj)
Remote-read snappy-compressed requests with excessive decoded length (CVE-2026-42154, GHSA-8rm2-7qqf-34qm)
Old UI stored XSS via unescaped le label values in heatmap (GHSA-fw8g-cg8f-9j28)

Full changelog

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.
[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590
[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
[SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588

View release on GitHub

v3.5.3 Security relevant 1mo

Security fixes

AzureAD OAuth client_secret exposure via /-/config endpoint (GHSA-wg65-39gg-5wfj / CVE-2026-42151)
Remote-Write snappy decompression decode limit bypass
Remote-Read snappy decompression decode limit bypass (GHSA-8rm2-7qqf-34qm / CVE-2026-42154)

Full changelog

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18587
[SECURITY] Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. #18591
[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18585
[SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18589

View release on GitHub

v3.11.2 Security relevant 1mo

Security fixes